ISM-2067: ASD Information Security Manual (ISM)

Ensure Single Logout for Single Sign-On Web Applications

Web apps with Single Sign-On should also log users out from all connected services.

Plain language

When you log out of a system that uses Single Sign-On (SSO), this control ensures you are automatically logged out of all related services, not just the one you're leaving. This is important because if you forget to log out from multiple places, someone else might gain unauthorized access to your accounts, risking your company's sensitive information.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

May 2025

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

Web applications that support Single Sign On equally support Single Logout.
ASD Information Security Manual (ISM) ISM-2067

Why it matters

Without Single Logout in SSO, ending a session in one app may not terminate sessions in other linked apps, enabling unauthorised access to organisational data.

Operational notes

Verify that SSO Single Logout ends the IdP session and all relying-party sessions; test browser back-button and multi-tab scenarios after changes to SSO or app integrations.

Implementation tips

  • The IT team should ensure that the Single Sign-On system is configured to support Single Logout. This can be done by checking settings in the SSO software that enable logout actions to extend across all connected services.
  • System administrators should regularly test the Single Logout process to confirm it works as expected. They can simulate user actions to log out from one application and verify that it successfully ends sessions on all integrated applications.
  • Security officers should inform employees about the importance of using Single Logout. This can be included in regular cybersecurity training sessions to raise awareness of secure login and logout practices.
  • HR and IT should collaborate to update new employee onboarding processes. Include specific guidance on how to use SSO and the importance of completing logout actions to protect company data.
  • The IT support team should create easy-to-follow guides for employees, explaining how to use Single Logout. This can include step-by-step instructions with screenshots or short video tutorials, ensuring everyone follows the same method.

Audit / evidence tips

  • Ask: The configuration settings of the Single Sign-On system. Good: Shows Single Logout is consistently applied for every connected application.
  • Good: Will include timestamps indicating simultaneous logout from all systems.
  • Ask: Documentation of SSO testing procedures. Good: Will provide dates and outcomes of these tests, verifying that Single Logout works as intended.
  • Good: Includes training completion records from all relevant staff members.
  • Ask: Incident reports involving user sessions. Good: Would be an absence of such incidents, or records showing that any found issues were quickly addressed.
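
One way to check the "timestamps indicating simultaneous logout from all systems" evidence, as an added example that is not part of the ISM or of this page: it scans session records and reports every service whose session stays open after a user logs out anywhere in the same SSO session. The records are constructed, and the line format, field names, event names (start/logout/end) and the 30-second tolerance are assumptions.

```python
from datetime import datetime, timedelta

# Constructed session records (not from a real IdP or application); the line
# format, field names and event names (start/logout/end) are assumptions.
SAMPLE_LOG = """\
2025-06-02T09:00:00Z src=idp sso=s1 event=start
2025-06-02T09:00:02Z src=app-hr sso=s1 event=start
2025-06-02T09:30:00Z src=app-hr sso=s1 event=logout
2025-06-02T09:30:01Z src=idp sso=s1 event=end
2025-06-02T10:00:00Z src=idp sso=s2 event=start
2025-06-02T10:00:03Z src=app-hr sso=s2 event=start
2025-06-02T10:00:04Z src=app-mail sso=s2 event=start
2025-06-02T10:20:00Z src=app-hr sso=s2 event=logout
2025-06-02T10:20:01Z src=idp sso=s2 event=end
2025-06-02T11:00:00Z src=idp sso=s3 event=start
2025-06-02T11:00:05Z src=app-wiki sso=s3 event=start
2025-06-02T11:10:00Z src=idp sso=s3 event=logout
2025-06-02T11:25:00Z src=app-wiki sso=s3 event=end
"""

def parse_events(text):
    """Parse 'timestamp key=value ...' lines into dicts, oldest first."""
    events = []
    for line in text.strip().splitlines():
        ts, *pairs = line.split()
        rec = dict(p.split("=", 1) for p in pairs)
        rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return sorted(events, key=lambda e: e["ts"])

def slo_gaps(events, tolerance=timedelta(seconds=30)):
    """List (sso, src, reason) for sessions still open after a user logout."""
    findings = []
    for sso in sorted({e["sso"] for e in events}):
        evs = [e for e in events if e["sso"] == sso]
        trigger = min((e["ts"] for e in evs if e["event"] == "logout"), default=None)
        if trigger is None:
            continue  # no user-initiated logout, nothing to verify
        for src in sorted({e["src"] for e in evs}):
            before = [e for e in evs if e["src"] == src and e["ts"] < trigger]
            if not before or before[-1]["event"] != "start":
                continue  # this service held no open session at logout time
            ends = [e["ts"] for e in evs if e["src"] == src
                    and e["event"] != "start" and e["ts"] >= trigger]
            if not ends:
                findings.append((sso, src, "no termination recorded"))
            elif ends[0] - trigger > tolerance:
                findings.append((sso, src, "terminated late"))
    return findings
```

In the constructed data, session s1 is clean, s2 leaves app-mail open after logout, and s3 ends app-wiki fifteen minutes late.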

Cross-framework mappings

How ISM-2067 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Depends on (1)

Control: Annex A 8.26
Notes: ISM-2067 requires web applications that support Single Sign-On (SSO) to equally support Single Logout (SLO) to ensure that a user’s logou...

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
